  1. #51
    Join Date
    Aug 2006
    Location
    Ashburn VA, San Diego CA
    Posts
    4,615
    Quote Originally Posted by yourwebhostereu View Post
    Yes there is but you can disable access for that account.
    True, but the fact it's there (in addition to the default "ADMIN/ADMIN" account) is pretty strange. Just changing the main ADMIN password isn't enough, and it wouldn't surprise me if this was overlooked on some deployments. To be honest I didn't notice it until recently when I was messing around with IPMItools.
    Fast Serv Networks, LLC | AS29889 | DDOS Protected | Managed Cloud, Streaming, Dedicated Servers, Colo by-the-U
    Since 2003 - Ashburn VA + San Diego CA Datacenters

  2. #52
    Join Date
    Nov 2005
    Posts
    305
    Quote Originally Posted by FastServ View Post
    True, but the fact it's there (in addition to the default "ADMIN/ADMIN" account) is pretty strange. Just changing the main ADMIN password isn't enough, and it wouldn't surprise me if this was overlooked on some deployments. To be honest I didn't notice it until recently when I was messing around with IPMItools.
    We've always blocked the anonymous account .. That is one of our steps when "building" a server.

  3. #53
    Join Date
    Aug 2008
    Posts
    536
    Quote Originally Posted by FastServ View Post
    True, but the fact it's there (in addition to the default "ADMIN/ADMIN" account) is pretty strange. Just changing the main ADMIN password isn't enough, and it wouldn't surprise me if this was overlooked on some deployments. To be honest I didn't notice it until recently when I was messing around with IPMItools.
    True, I don't even know why there is an anonymous account. It can only be a security hole, that's for sure. If you want to give somebody access you'll create a new account or a general account with another name.
    Regards,
    Yourwebhoster.eu [NL] based hosting
    Shared | Reseller | KVM VPS | Reseller VPS

  4. #54
    Quote Originally Posted by yourwebhostereu View Post
    True, I don't even know why there is an anonymous account. It can only be a security hole, that's for sure. If you want to give somebody access you'll create a new account or a general account with another name.
    The "anonymous" account, by default, has full admin rights with no password. On some versions of IPMI you can delete this account; on other versions, all you can do is either change the password or set the account access type to "no access". Either way, the default is very insecure.
    IOFLOOD.com -- We Love Servers
    Phoenix, AZ Dedicated Servers in under an hour
    ★ Ryzen 9: 7950x3D ★ Dual E5-2680v4 Xeon ★
    Contact Us: sales@ioflood.com
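    Added example (not code from any poster in this thread): a POSIX shell audit that reads `ipmitool user list 1` output, flags every ADMINISTRATOR-level account whose name is empty (the anonymous slot, normally ID 1) or literally "Anonymous", and prints the ipmitool commands that set such an account to NO ACCESS (privilege level 15) and disable it, which is the "no access" option described above. It assumes channel 1 is the BMC's LAN channel; the user listing embedded below is constructed, not a real capture.

```shell
#!/bin/sh
# Constructed sample of `ipmitool user list 1` output (not from a real BMC).
# Lines with an empty name have 5 whitespace-separated fields, named ones have 6.
SAMPLE_USER_LIST='ID  Name             Callin  Link Auth  IPMI Msg   Channel Priv Limit
1                    true    false      true       ADMINISTRATOR
2   ADMIN            true    false      true       ADMINISTRATOR
3   ops              true    false      true       OPERATOR
4   Anonymous        true    false      true       ADMINISTRATOR
5   oldadmin         false   false      false      NO ACCESS'

# Read a user listing on stdin and print "<id> <name>" for every account that
# still has ADMINISTRATOR rights and has no name (printed as <no-name>) or is
# named Anonymous (case-insensitive). Everything else is left alone.
flag_anonymous_admins() {
  awk 'NR == 1 { next }                      # skip the column header
       $NF != "ADMINISTRATOR" { next }       # only admin-level accounts matter here
       {
         name = (NF == 5) ? "" : $2          # empty name => one field fewer
         if (name == "" || tolower(name) == "anonymous")
           print $1, (name == "" ? "<no-name>" : name)
       }'
}

# Print (do not run) the ipmitool commands that neutralise one user ID:
# privilege 15 = NO ACCESS on LAN channel 1 (assumed), then disable the login.
remediation_for() {
  id="$1"
  printf 'ipmitool user priv %s 15 1\n' "$id"
  printf 'ipmitool user disable %s\n' "$id"
}

# Usage: run the audit over the sample and show the suggested fix for each hit.
# On a real host replace the sample with: ipmitool user list 1 | flag_anonymous_admins
printf '%s\n' "$SAMPLE_USER_LIST" | flag_anonymous_admins | while read -r id name; do
  echo "# account $id ($name) has ADMINISTRATOR rights under an anonymous identity"
  remediation_for "$id"
done
```

Review the printed commands before running them: disabling the wrong ID on a BMC that only offers the "no access" option is recoverable, but locking out your last working admin account is not, short of a factory reset.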

  5. #55
    Join Date
    Aug 2008
    Posts
    536
    Quote Originally Posted by funkywizard View Post
    the "anonymous" account, by default, has full admin rights with no password. On some versions of IPMI you can delete this account, on other versions, all you can do is either change the password, or set the account access type to "no access". Either way, the default is very insecure.
    You don't have to tell me which rights the account has, all I'm saying is that I don't understand why there is an anonymous account by default.

  6. #56
    Quote Originally Posted by yourwebhostereu View Post
    You don't have to tell me which rights the account has, all I'm saying is that I don't understand why there is an anonymous account by default.
    clueless, wet behind the ears junior comp sci graduate who cribbed every single assignment and test who spends most of his time on twitfacespace.

    all of the defenses were well known before the advent of the internet. seems like they've been forgotten.

    they even make it harder to defend yourself. for example, the insistence on prohibiting deletion of "root", and the insistence that ssh has to be port 22. after all, the programmer knows what's best for you. not.

    about the only thing you can do to defend such a poor implementation is by using an external device, or turn it off.

    in one particular implementation of ipmi, the https channel is actually safer than the ssh channel. but only marginally so because the single difference is the ability to use an arbitrary port. security by obscurity. not exactly a shining example of a best practice, but better than waiting for scans on port 22.
    Last edited by plumsauce; 11-09-2010 at 06:23 AM.
    edgedirector.com
    managed dns global failover and load balance (gslb)
    exactstate.com
    uptime report for webhostingtalk.com

  7. #57
    Join Date
    Nov 2010
    Location
    Rochester, NY
    Posts
    77

    How does Super Doctor III compare to IPMI

    I do not have any servers, but was looking at buying an A+ 1U server to co-locate. Super Micro shows a system called Super Doctor III on all their motherboards pages. I assume this is different from IPMI.

    Has anyone used this? How does it compare? As leaky? The motherboard I was looking at was H8DGU & does not show IPMI. Is this an Opteron trade-off? FYI, I favored this over Xeon, because the service I will be providing is massively parallel / HPC. My process could easily floor a minimum of 400 cores & 15k cores in some spots, not for very long though. This 24 core system seemed ideal, until I saw this thread.

  8. #58
    Join Date
    Feb 2002
    Location
    New York, NY
    Posts
    4,618
    Quote Originally Posted by AI_Guy View Post
    Super Micro shows a system called Super Doctor III on all their motherboards pages. I assume this is different from IPMI.
    I've never used it myself, but I believe it is software that you would run on the server itself.

    Quote Originally Posted by AI_Guy View Post
    The motherboard I was looking at was H8DGU & does not show IPMI.
    The H8DGU-F has IPMI.
    Scott Burns, President
    BQ Internet Corporation
    Remote Rsync and FTP backup solutions
    *** http://www.bqbackup.com/ ***

  9. #59
    Join Date
    Aug 2006
    Location
    Ashburn VA, San Diego CA
    Posts
    4,615
    Quote Originally Posted by AI_Guy View Post
    I do not have any servers, but was looking at buying an A+ 1U server to co-locate. Super Micro shows a system called Super Doctor III on all their motherboards pages. I assume this is different from IPMI.

    Has anyone used this? How does it compare? As leaky? The motherboard I was looking at was H8DGU & does not show IPMI. Is this an Opteron trade-off? FYI, I favored this over Xeon, because the service I will be providing is massively parallel / HPC. My process could easily floor a minimum of 400 cores & 15k cores in some spots, not for very long though. This 24 core system seemed ideal, until I saw this thread.
    SDIII, not to be confused with IPMI or any other kind of lights-out management, is basically a Windows GUI-based sensor monitoring app that takes it a bit farther with SNMP hooks, etc. Most main boards have the same sensors.

  10. #60
    Join Date
    Nov 2010
    Location
    Rochester, NY
    Posts
    77
    Thanks bqinternet, I was looking at the page for the wrong board. The '-F' version has IPMI 2.0. The AS-1022G-NTF bare bones system, CompSource $827, does indeed use the '-F' version.

    Looked at the Supero Doctor manual. Yes FastServ, it is an app on the server with a Windows Client. It also does not do much unless your server is also Windows based. Thanks for the clarification. No need for me to look any further at it.

  11. #61
    I don't think the embedded IPMI microsystem would be able to run anything that could spam emails... it's very limited in resources and not 'rootable' to my knowledge, even with access... It's possible somebody is MAC spoofing and stole the IP to flood spam, as I'm sure spammers have learned to do, and an IPMI device would be the ideal candidate to 'kick off' the network to achieve this. Probably why you can't connect to it too.

    Very simple to test for this: physically unplug the IPMI and try to ping it; if it responds, you've got yourself a spoofer.

  12. #62
    Join Date
    Jul 2008
    Location
    Dallas, TX
    Posts
    107
    Quote Originally Posted by FastServ
    Anyone else notice a default ADMIN account with 'anonymous' login credential on the IPMI 2.0 (aka X8SIL-F)?
    Quote Originally Posted by SC-Daniel View Post
    Yep, my last 2 X8SIL-F boards have had an anonymous account with full admin rights on them by default.
    I'm pretty sure unless you set a password on this account no one can log in with it. However, on the latest firmware, if you try to delete it, it doesn't tell you that you are not allowed to delete it. It just acts like you have not selected a user to delete.

  13. #63
    Join Date
    Feb 2002
    Location
    New York, NY
    Posts
    4,618
    Quote Originally Posted by tweak2 View Post
    I don't think the embedded IPMI microsystem would be able to run anything that could spam emails
    It can. I've seen it do it, and I informed Supermicro of it. We had a new H8SGL-F board that wasn't yet moved to a private IP, and sure enough, we got a spam report for its IP. The ADMIN password is always changed immediately, so I don't know how spammers got in.

  14. #64
    Quote Originally Posted by bqinternet View Post
    It can. I've seen it do it, and I informed Supermicro of it. We had a new H8SGL-F board that wasn't yet moved to a private IP, and sure enough, we got a spam report for its IP. The ADMIN password is always changed immediately, so I don't know how spammers got in.
    Ditto, used a 20 alphanumspecialchar password, 3 days later, another complaint. Moving them all (x7spa-hf) behind IPv6 now. Haven't heard anything since the only SM reply I got, and sent them a copy of the most recent complaint.

  15. #65
    Join Date
    Nov 2005
    Posts
    305
    Quote Originally Posted by Lockjaw View Post
    Ditto, used a 20 alphanumspecialchar password, 3 days later, another complaint. Moving them all (x7spa-hf) behind IPv6 now. Haven't heard anything since the only SM reply I got, and sent them a copy of the most recent complaint.
    I also still have not received an answer from SuperMicro on this issue.

    We should all move our IPMI interfaces to internal addresses.

  16. #66
    Join Date
    Jul 2008
    Location
    Dallas, TX
    Posts
    107
    Quote Originally Posted by bqinternet View Post
    It can. I've seen it do it, and I informed Supermicro of it. We had a new H8SGL-F board that wasn't yet moved to a private IP, and sure enough, we got a spam report for its IP. The ADMIN password is always changed immediately, so I don't know how spammers got in.
    I'm not sure about the H8SGL-F, but on the X8SIL-F if you try to log in with no user/pass entered it does not work. If you try to log in with the username Anonymous it tells you you need a password. If you try Anonymous/Anonymous it does not work either.

  17. #67
    Quote Originally Posted by Ryan G - Limestone View Post
    I'm not sure about the H8SGL-F, but on the X8SIL-F if you try to log in with no user/pass entered it does not work. If you try to log in with the username Anonymous it tells you you need a password. If you try Anonymous/Anonymous it does not work either.
    I noticed the same thing when noticing the anonymous account in the past, there was no obvious way of logging into it.

  18. #68
    Join Date
    Aug 2006
    Location
    Ashburn VA, San Diego CA
    Posts
    4,615
    X8STI-F

    Code:
    # netstat -nalpt
    Active Internet connections (servers and established)
    Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
    tcp        0      0 0.0.0.0:5120            0.0.0.0:*               LISTEN     411/cdserver
    tcp        0      0 0.0.0.0:5123            0.0.0.0:*               LISTEN     445/fdserver
    tcp        0      0 0.0.0.0:5988            0.0.0.0:*               LISTEN     334/sfcbd
    tcp        0      0 0.0.0.0:555             0.0.0.0:*               LISTEN     242/webgo
    tcp        0      0 0.0.0.0:5900            0.0.0.0:*               LISTEN     453/stunnel4
    tcp        0      0 0.0.0.0:5901            0.0.0.0:*               LISTEN     393/adviserd
    tcp        0      0 0.0.0.0:623             0.0.0.0:*               LISTEN     286/
    tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN     230/webgo
    tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN     230/webgo
    tcp        0      0 127.0.0.1:8765          0.0.0.0:*               LISTEN     393/adviserd
    tcp        1      0 127.0.0.1:38849         127.0.0.1:623           CLOSE_WAIT 230/webgo
    tcp        1      0 127.0.0.1:34140         127.0.0.1:623           CLOSE_WAIT 230/webgo
    tcp        1      0 127.0.0.1:38850         127.0.0.1:623           CLOSE_WAIT 230/webgo
    tcp6       0      0 :::22                   :::*                    LISTEN     375/dropbear
    Lots of open ports.

    Code:
    # iptables --list
    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination

    Chain FORWARD (policy ACCEPT)
    target     prot opt source               destination

    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination
    You've got iptables to block them off or limit access at least...

  19. #69
    Join Date
    Jul 2008
    Location
    Dallas, TX
    Posts
    107
    Did Supermicro ever follow up about this?

  20. #70
    Join Date
    Nov 2005
    Posts
    305
    Quote Originally Posted by Ryan G - Limestone View Post
    Did Supermicro ever follow up about this?
    I didn't receive a follow up.

  21. #71
    Join Date
    Dec 2007
    Location
    Indiana, USA
    Posts
    19,178
    Honestly I think it's best to just either put IPMI behind a firewall or to disable the switch ports unless you actually need access. Yes, it's going to cause another minute or two delay in an emergency situation, but I'd personally rather have that happen than have somebody potentially brute force a password and then be able to power down servers, or worse.

    Spam is definitely a bad thing, but them potentially gaining full control over the IPMI Device could be much worse.
    Michael Denney - MDDHosting.com - Proudly hosting more than 37,800 websites since 2007.
    Ultra-Fast Cloud Shared and Pay-By-Use Reseller Hosting Powered by LiteSpeed!
    cPanel • Free SSL • 100% Uptime SLA • 24/7 Support
    Class-leading support that responds in minutes, not days.

  22. #72
    Join Date
    Feb 2002
    Location
    New York, NY
    Posts
    4,618
    Quote Originally Posted by brc_csf View Post
    I didn't receive a follow up.
    Neither did I. It might be time to check in with them again.

  23. #73
    Join Date
    Aug 2006
    Location
    Ashburn VA, San Diego CA
    Posts
    4,615
    Found a compromised BMC on an X8SIL-F the other day. Interesting because it uses the SMASH and not a normal Bash shell.

    Either way, turns out the guest account was being used as an SSH tunnel -- so that explains how some of you may have seen spam or other 'odd' activity originating from your BMC. This particular BMC attracted a multi-gigabit DDOS so they were certainly using it to piss somebody off, although we didn't see any spam reports.

    Due to the extreme limitations imposed by SMASH I wasn't able to dig much further. But it does appear they did more than tunneling -- they managed to add other users that weren't visible in the web interface. In addition to this several parts of the web interface were malfunctioning (sensor readings) and they had somehow blocked the local network from access. I can only imagine they somehow got access to a normal shell to be able to do these things.

    A firmware upgrade did not resolve this, it took a factory reset to get things back under control.

    And before anyone jumps all over me for having an IPMI device on a public interface, it was a colo client, not one of our own systems.

  24. #74
    Join Date
    Dec 2004
    Posts
    569
    Quote Originally Posted by FastServ View Post
    Either way, turns out the guest account was being used as an SSH tunnel
    So a matter of the customer forgetting to disable the guest account, rather than a vulnerability in the BMC?


    Quote Originally Posted by FastServ View Post
    Due to the extreme limitations imposed by SMASH I wasn't able to dig much further.
    Try the "shell" command

    Code:
    ssh ADMIN@192.168.88.245
    ADMIN@192.168.88.245's password: 
    Auth User/Pass with PS...pass.
    
    ATEN SMASH-CLP System Management Shell, version 1.00
    Copyright (c) 2008-2009 by ATEN International CO., Ltd.
    All Rights Reserved
    
    
    -> shell sh
    Change shell to sh
    # ls
    SFCB        bin         dropbear    lib         lost+found  proc        sys         usr         web
    SMASH       dev         etc         linuxrc     nv          sbin        tmp         var         wsman

  25. #75
    Join Date
    Aug 2006
    Location
    Ashburn VA, San Diego CA
    Posts
    4,615
    Quote Originally Posted by Maxnet View Post
    So a matter of the customer forgetting to disable the guest account, rather than a vulnerability in the BMC?

    Try the "shell" command
    It would appear so...guest account has root privs on SSH. Gotta love it

    I really wanted to dig around to be sure...wish I knew about the shell command so I could poke around or maybe grab a filesystem snapshot before blasting it back to factory.